author | Andreas Schneider <mail@cynapses.org> | 2009-09-03 17:11:42 +0200 |
---|---|---|
committer | Andreas Schneider <mail@cynapses.org> | 2009-09-03 17:11:42 +0200 |
commit | 8344598910e96899c16011559f2e9f8f26c4d24d (patch) | |
tree | 5efe5e18a6904f0db31e9060b9789ac1189d91a9 /libssh/buffer.c | |
parent | 16870abed7a13ae92a246f9ea85f3b58b08f0ede (diff) | |
Fix an integer overflow in buffer_get_data().
Thanks to Orange Labs for the report.
Diffstat (limited to 'libssh/buffer.c')
-rw-r--r-- | libssh/buffer.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/libssh/buffer.c b/libssh/buffer.c
index d3d249e..2f450b5 100644
--- a/libssh/buffer.c
+++ b/libssh/buffer.c
@@ -339,8 +339,13 @@ uint32_t buffer_pass_bytes_end(struct ssh_buffer_struct *buffer, uint32_t len){
 * \returns len otherwise.
 */
 uint32_t buffer_get_data(struct ssh_buffer_struct *buffer, void *data, uint32_t len){
- if(buffer->pos+len>buffer->used)
- return 0; /*no enough data in buffer */
+ /*
+ * Check for a integer overflow first, then check if not enough data is in
+ * the buffer.
+ */
+ if (buffer->pos + len < len || buffer->pos + len > buffer->used) {
+ return 0;
+ }
 memcpy(data,buffer->data+buffer->pos,len);
 buffer->pos+=len;
 return len; /* no yet support for partial reads (is it really needed ?? ) */ |
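Review bot: The new guard in buffer_get_data still computes `buffer->pos + len` twice and relies on unsigned wraparound, so whether it behaves as intended depends on the type of `buffer->pos`, which is not visible in this hunk. A subtraction form cannot overflow at any operand width and also rejects a `pos` that is already past `used`: `if (buffer->pos > buffer->used || len > buffer->used - buffer->pos) return 0;`. The same additive comparison may be present in the neighbouring length checks (for example buffer_pass_bytes_end, named in the hunk header, whose body is outside this hunk), and since `len` presumably comes from peer-supplied packet fields those deserve the same audit. Returning 0 for both "rejected" and a legitimate `len == 0` request is worth a sentence in the `\returns` doc so callers do not treat an empty read as an error. The function's closing brace lies outside the hunk.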